Solved: How to combine two different search results in a s...

kenvanderheyden · ‎02-02-2015

Hello,

I'm having trouble combining two different search results, from different source type into one visualization.

These are the two search strings:

index=* sourcetype=typeA| stats count by date_year | eventstats avg(count) | rename count as "total", avg(count) as "global average"
index=* sourcetype=otherTypeB| stats count by date_year | eventstats avg(count) | rename count as "total", avg(count) as "global average"

Both searches result in a line.
I would like to see both in one visualization, so the correlation between the events if there is one, becomes visible.

Tried using a join:

index=* sourcetype=typeA| join date_year [search sourcetype=otherTypeB] | stats count by date_year | eventstats avg(count)

But this results in having a single line.
Not sure how to proceed from here on.

Regards,
Ken.

kenvanderheyden · ‎02-02-2015

Found a simple solution:

index=* sourcetype=type1 OR sourcetype=otherTypeB
| timechart count(eval(sourcetype=="type1")) , count(eval(sourcetype=="otherTypeB"))

View solution in original post

kenvanderheyden · ‎02-02-2015

Found a simple solution:

index=* sourcetype=type1 OR sourcetype=otherTypeB
| timechart count(eval(sourcetype=="type1")) , count(eval(sourcetype=="otherTypeB"))

How to combine two different search results in a single visualization?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!